b"               U.S. ENVIRONMENTAL PROTECTION AGENCY\n               OFFICE OF INSPECTOR GENERAL\n\n\n\n                                              Catalyst for Improving the Environment\n\n\nEarly Warning Report\n\n             EPA Should Use FMFIA to\n             Improve Programmatic Operations\n             Report No. 09-P-0203\n\n             August 6, 2009\n\n\n\n\n   GAO                                                                     FMFIA\n Standards\n\n\n\n\n   OMB                                                                     EPA\n  Circular                                                                 Order\n   A-123                                                                  1000.24\n\x0cReport Contributors:                               Patrick Gilbride\n                                                   Erin Barnes-Weaver\n                                                   Karen L. Hamilton\n                                                   Bryan Holtrop\n                                                   Mary Anne Strasser\n\n\n\n\nAbbreviations\n\nEPA            U.S. Environmental Protection Agency\nFMFIA          Federal Managers\xe2\x80\x99 Financial Integrity Act\nFY             Fiscal Year\nGAO            Government Accountability Office\nGPRA           Government Performance and Results Act\nNPM            National Program Manager\nOCFO           Office of the Chief Financial Officer\nOIG            Office of Inspector General\nOMB            Office of Management and Budget\nOPPTS          Office of Prevention, Pesticides, and Toxic Substances\nORD            Office of Research and Development\nOSWER          Office of Solid Waste and Emergency Response\nPART           Program Assessment Rating Tool\n\n\n\n\nCover photo:     Cover of EPA guidance document, Management Integrity at EPA: A\n                 Manager\xe2\x80\x99s \xe2\x80\x9cHow To\xe2\x80\x9d Guide for Program Reviews: Seeing the Forest and the\n                 Trees (EPA-205-B-96-001, March 1996), and other management integrity\n                 guidance.\n\x0c                       U.S. Environmental Protection Agency                                    Report No. 09-P-0203\n                                                                                                     August 6, 2009\n                       Office of Inspector General\n\n\n                       At a Glance\n                                                                         Catalyst for Improving the Environment\n\n\nWhy We Did This Review           EPA Should Use FMFIA to\nWe conducted this review to      Improve Programmatic Operations\ndetermine how the U.S.\nEnvironmental Protection          What We Found\nAgency (EPA) develops\nannual guidance under the        EPA has not implemented and used FMFIA to improve program operations, as\nFederal Managers\xe2\x80\x99 Financial      intended by federal and Agency guidance. Although EPA offices rely on annual\nIntegrity Act (FMFIA). We        guidance that the Office of the Chief Financial Officer (OCFO) issues,\nasked whether EPA offices\nintegrate FMFIA internal\ncontrol standards into           \xef\x82\xb7   EPA offices have not developed internal control review strategies that include\nprogrammatic operations. We          elements such as the Government Performance and Results Act (GPRA);\nalso asked whether offices use   \xef\x82\xb7   OCFO\xe2\x80\x99s guidance and training have not provided staff and managers with\nGovernment Accountability            adequate awareness of GAO\xe2\x80\x99s internal control standards;\nOffice (GAO) guidance to         \xef\x82\xb7   OCFO\xe2\x80\x99s guidance, until recently, has not required offices to report on\ndevelop and monitor internal\ncontrols.                            compliance with all GAO standards; and\n                                 \xef\x82\xb7   OCFO did not devote needed resources to validate assurance letters.\nBackground\n                                 Per Agency guidance, OCFO is responsible for ensuring and implementing a\nFMFIA requires federal           strategy for validating EPA\xe2\x80\x99s compliance with FMFIA. However, OCFO relies on\nagency managers to annually      Assistant and Regional Administrators to verify letters\xe2\x80\x99 program elements before\nevaluate and indicate whether    certifying them. EPA offices view FMFIA reporting as an administrative task,\ntheir agencies\xe2\x80\x99 internal         rather than an opportunity to assess program results and identify risks toward\ncontrols comply with             achieving goals. As a result, the Administrator has little assurance when signing\nstandards prescribed by GAO.\n                                 EPA\xe2\x80\x99s letter that offices reviewed program operations. Additional emphasis on\nFMFIA requirements purport\nto provide reasonable            FMFIA\xe2\x80\x99s importance could result in more certain, documented assurance in the\nassurance that agencies          Agency\xe2\x80\x99s Performance and Accountability Report that EPA programs annually\nmaintain adequate internal       evaluate internal controls to comply with GAO\xe2\x80\x99s standards and deter fraud, waste,\ncontrol systems to prevent       and mismanagement.\nagainst fraud, waste, abuse,\nand mismanagement.\n                                  What We Recommend\n\n                                 We recommended that EPA\xe2\x80\x99s Administrator support internal controls by\n                                 announcing the Fiscal Year (FY) 2010 FMFIA process and requiring that senior\nFor further information,         managers attend training. We also recommended that the Chief Financial Officer\ncontact our Office of            develop comprehensive, tiered FMFIA training for managers and staff; revise the\nCongressional, Public Affairs    internal checklist used as part of the strategy for validating Agency-wide FMFIA\nand Management at                compliance; codify its validation strategy; and develop FY 2010 FMFIA guidance\n(202) 566-2391.\n                                 that contains OCFO FY 2009 supplemental guidance. EPA initially agreed with\nTo view the full report,         all but one of our recommendations. The Agency agreed when we revised that\nclick on the following link:     recommendation\xe2\x80\x99s language to focus on OCFO\xe2\x80\x99s internal tool to validate letters.\nwww.epa.gov/oig/reports/2009/\n20090806-09-P-0203.pdf\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n                                                                                        OFFICE OF\n                                                                                   INSPECTOR GENERAL\n\n\n\n                                          August 6, 2009\n\nMEMORANDUM\n\nSUBJECT:               EPA Should Use FMFIA to Improve Programmatic Operations\n                       Report No. 09-P-0203\n\n\nFROM:                  Melissa M. Heist\n                       Assistant Inspector General for Audit\n\nTO:                    Lisa P. Jackson\n                       Administrator\n                       Office of the Administrator\n\n                       Maryann Froehlich\n                       Acting Chief Financial Officer\n                       Office of the Chief Financial Officer\n\n\nThe Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA)\nconducted this report on the subject audit. This report contains findings that describe problems\nwe identified and corrective actions we recommend. This report represents our opinion and does\nnot necessarily represent the final EPA position. EPA managers will make final determinations\non matters in this report in accordance with established audit resolution procedures.\n\nThe estimated cost of this report \xe2\x80\x93 calculated by multiplying the project\xe2\x80\x99s staff days by the\napplicable daily full cost billing rates in effect at the time \xe2\x80\x93 is $212,476.\n\nAction Required\n\nIn accordance with EPA Manual 2750, EPA\xe2\x80\x99s Audit Management Process, you are required to\nprovide a written response to this report within 90 calendar days. You should include a\ncorrective actions plan for agreed upon actions, including milestone dates. We have no\nobjections to the further release of this report to the public. This report will be available at\nhttp://www.epa.gov/oig.\n\nIf you or your staff has any questions regarding this report, please contact me at (202) 566-0899\nor heist.melissa@epa.gov, or Patrick Gilbride, Director for Audit, Risk and Program\nPerformance Issues, at (303) 312-6969 or gilbride.patrick@epa.gov.\n\x0cEPA Should Use FMFIA to Improve Programmatic Operations                                                   Report No. 09-P-0203\n\n\n\n                                  Table of Contents\n          Purpose ..................................................................................................................   1\n\n          Background ...........................................................................................................       1\n\n          Scope and Methodology .......................................................................................                6\n\n          Findings .................................................................................................................   7\n\n          Conclusion ............................................................................................................. 11\n\n          Recommendations ................................................................................................ 12\n\n          Agency Comments and OIG Evaluation.............................................................. 13\n\n          Status of Recommendations and Potential Monetary Benefits ........................ 14\n\n\n\nAppendices\n          A Agency Response to Draft Report ................................................................. 15\n\n          B Distribution ...................................................................................................... 19\n\x0c                                                                         Report No. 09-P-0203\n\n\nPurpose\n          We conducted this review to determine how EPA develops and uses annual\n          guidance under the Federal Managers\xe2\x80\x99 Financial Integrity Act (FMFIA). We\n          asked whether EPA offices fully integrate internal control standards under FMFIA\n          into their programmatic operations. We also asked whether EPA offices use\n          available Government Accountability Office (GAO) guidance to develop and\n          monitor their internal controls. We found that several EPA offices had not\n          demonstrated compliance with GAO\xe2\x80\x99s Standards for Internal Control in the\n          Federal Government in Fiscal Year (FY) 2008 assurance letters. While EPA\xe2\x80\x99s\n          FY 2009 FMFIA reporting ends in mid-August 2009, we wanted to communicate\n          our observations and recommendations to influence the FY 2009 process and\n          enhance how the Agency develops FY 2010 guidance.\n\nBackground\n          Federal Management Integrity Criteria\n\n          FMFIA requires federal agency managers to establish internal accounting and\n          administrative controls in accordance with standards prescribed by the\n          Comptroller General (hereafter referred to as \xe2\x80\x9cGAO\xe2\x80\x99s Standards\xe2\x80\x9d). FMFIA\n          requires federal agency managers to annually evaluate and report on the\n          effectiveness of internal controls and financial accounting systems in accordance\n          with, respectively, Sections 2 and 4 of FMFIA. FMFIA also requires federal\n          agency managers to annually evaluate, in accordance with Office of Management\n          Budget (OMB) guidelines, whether their agencies\xe2\x80\x99 internal controls comply with\n          GAO\xe2\x80\x99s Standards and issue a statement of assurance and indicate full compliance\n          or non-compliance.\n\n          OMB Circular A-123, dated December 21, 2004, describes federal managers\xe2\x80\x99\n          responsibilities for internal control, stating that management is responsible for\n          establishing and maintaining internal control to achieve the objectives of (1)\n          effective and efficient operations, (2) reliable financial reporting, and (3)\n          compliance with applicable laws and regulations. Appendix A of the Circular\n          requires federal agencies to separately assess effectiveness of internal controls\n          over financial reporting. The Circular also states that \xe2\x80\x9cManagement shall\n          consistently apply the internal control standards to meet each of the internal\n          control objectives and to assess internal control effectiveness.\xe2\x80\x9d OMB Circular A-\n          123 provides guidance to federal managers on meeting requirements of FMFIA.\n          The Circular states that \xe2\x80\x9cInternal control guarantees neither the success of agency\n          programs, nor the absence of waste, fraud, and mismanagement, but is a means of\n          managing the risk associated with Federal programs and operations.\xe2\x80\x9d By\n          including \xe2\x80\x9cprograms and operations,\xe2\x80\x9d OMB emphasized goals set by the\n          organization, risks agencies face in meeting those goals, whether agencies have\n          identified and assessed risks, and whether agencies have taken steps to manage\n          those risks. The Circular requires federal managers to take systematic and\n\n\n                                           1\n\x0c                                                                       Report No. 09-P-0203\n\n\nproactive measures to develop and implement appropriate internal controls for\nresults-oriented management.\n\nThe Circular describes the requirements of FMFIA as \xe2\x80\x9can umbrella under which\nother reviews, evaluations, and audits should be coordinated and considered to\nsupport management\xe2\x80\x99s assertion about the effectiveness of internal control over\noperations, financial reporting, and compliance with laws and regulations.\xe2\x80\x9d\n\xe2\x80\x9cOther reviews\xe2\x80\x9d that FMFIA reporting should coordinate and consider include\nactivities under the Government Performance and Results Act (GPRA), such as\ndeveloping strategic plans, setting performance goals and measures, and reporting\nannually on actual performance results compared to goals. These efforts all\nsupport an overall internal control framework illustrated in Figure 1.1.\n\nFigure 1.1: EPA\xe2\x80\x99s Internal Control Program \xe2\x80\x93 A Visual Overview\n\n\n\n\nSource: EPA training, EPA Internal Control and Management Integrity: Make It Second Nature,\nissued (via EPA\xe2\x80\x99s Intranet) on May 28, 2008 (slide 11 of 21).\n\nAs required by FMFIA, GAO established the Standards for Internal Control in\nthe Federal Government listed in OMB Circular A-123 (see Table 1.1 on the next\npage).\n\nThe Standards provide the overall framework for establishing and maintaining\ninternal control, and for identifying and addressing performance and management\nchallenges and areas at greatest risk of fraud, waste, abuse, and mismanagement.\nThe Standards compose a major part of managing an organization, including\nplans, methods, and procedures used to meet missions, goals, and objectives and,\nin doing so, support performance-based management.\n\n\n                                      2\n\x0c                                                                                               Report No. 09-P-0203\n\n\n                  Table 1.1: GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government\n                  1.        Control      This standard establishes and maintains an environment\n                         Environment     throughout the organization that sets a positive and supporting\n                                         attitude toward internal control and conscientious\n                                         management. This includes establishing goals, objectives,\n                                         and performance measures at the entity and activity level.\n                  2.         Risk        Once the goals, objectives, and measures have been defined,\n                         Assessment      the risks that could impede the efficient and effective\n                                         achievement of those objectives are identified. This includes\n                                         an assessment of the risks the agency faces from both\n                                         internal and external sources. Risk assessment includes\n                                         identifying and analyzing relevant risks associated with\n                                         achieving objectives, such as those defined in strategic and\n                                         annual performance plans developed under GPRA, and form\n                                         a basis for determining how to manage risks. Management\n                                         needs to comprehensively identify risks and should consider\n                                         all significant interactions between the entity and other parties\n                                         as well as internal factors at both the entity-wide and activity\n                                         levels.\n                  3.        Control      These are the policies, procedures, techniques, and\n                           Activities    mechanisms that implement management\xe2\x80\x99s direction toward\n                                         achievement of goals. Internal control activities help ensure\n                                         that management\xe2\x80\x99s directives are carried out.\n                  4.   Information and This standard includes data and information (performance and\n                      Communications financial) to determine whether the organization is meeting its\n                                         goals and objectives and maintaining accountability over\n                                         resources.\n                  5.      Monitoring     Internal control monitoring should assess the quality of\n                                         performance over time and ensure that findings of audits and\n                                         other reviews are promptly resolved.\n                  Source: OIG summary of GAO\xe2\x80\x99s Standards for Internal Control in the Federal Government,\n                  GAO/AIMD-00-21.3.1 (November 1999).\n\n                  EPA Management Integrity Guidance and Policy\n\n                  EPA issued Order 1000.24, Management\xe2\x80\x99s Responsibility for Internal Control, as\n                  the Agency\xe2\x80\x99s strategy for implementing FMFIA. The Order specifies how EPA:\n\n                           \xef\x82\xb7    Prescribes policies, procedures, and standards for internal controls at\n                                EPA.\n                           \xef\x82\xb7    Outlines Agency senior managers\xe2\x80\x99 roles and responsibilities for\n                                developing, implementing, assessing, documenting, improving, and\n                                reporting on internal controls.\n                           \xef\x82\xb7    Incorporates specific requirements for assessing internal controls over\n                                financial reporting.\n                           \xef\x82\xb7    Provides tools to help managers monitor both overall program\n                                progress and the effectiveness of day-to-day operations (e.g., EPA\n                                Management Integrity Principles1).\n\n\n1\n EPA first developed its Management Integrity Principles in 1996. The 10 Principles are (1) guidance, (2)\naccountability, (3) feedback, (4) competency, (5) quality data, (6) separation, (7) comparison, (8) identification,\n\n\n                                                           3\n\x0c                                                                                         Report No. 09-P-0203\n\n\n                 EPA Order 1000.24 requires the Administrator to foster an environment that\n                 supports awareness and compliance with internal controls. EPA\xe2\x80\x99s Order also\n                 requires Assistant and Regional Administrators to develop systematic review\n                 strategies and advises them to use GAO\xe2\x80\x99s Standards as the basis for determining\n                 the effectiveness of internal controls. The Order also requires senior managers to\n                 annually evaluate whether their programs\xe2\x80\x99 internal controls effectively meet\n                 GAO\xe2\x80\x99s Standards and attest to the soundness of internal controls for their\n                 respective organizations. Per EPA\xe2\x80\x99s Order, senior managers annually issue\n                 assurance letters to the Administrator that report results of evaluations and their\n                 programs\xe2\x80\x99 compliance status with GAO\xe2\x80\x99s Standards. The Order requires that\n                 systematic review strategies are consistent and coordinate with Agency-wide\n                 processes used to develop and report on program performance measures and\n                 results, such as GPRA and reviews under OMB\xe2\x80\x99s Program Assessment Rating\n                 Tool (PART). For example, EPA\xe2\x80\x99s Office of the Chief Financial Officer (OCFO)\n                 annually issues National Program Manager (NPM) guidance to promote\n                 consistency, describe priorities and strategies, and report on performance\n                 commitments in order to strengthen planning and accountability processes and\n                 better align measures.\n\n                 The Order further designates senior managers (e.g., Deputy Administrator,\n                 Assistant, and Regional Administrators) to implement internal control\n                 frameworks and assure continual progress to strengthen internal controls\n                 (reported annually in EPA\xe2\x80\x99s Performance and Accountability Report). The\n                 Order also requires senior managers to designate a Management Integrity\n                 Advisor who serves as the organization\xe2\x80\x99s staff contact responsible for\n                 disseminating pertinent information regarding the Agency\xe2\x80\x99s management\n                 integrity program. The Order outlines specific responsibilities for OCFO listed\n                 in Table 1.2 (on the next page).\n\n\n\n\n(9) review, and (10) correction. EPA advocates that managers incorporate the Principles into existing management\nprocesses, program strategies, and guidance to strengthen program operations.\n\n\n                                                        4\n\x0c                                                                                          Report No. 09-P-0203\n\n\n                 Table 1.2: OCFO Responsibilities per EPA Order 1000.24\n                  Chief Financial Officer\n\n                      \xef\x82\xb7   Develop and administer EPA\xe2\x80\x99s guidance to ensure compliance with FMFIA\n                          and OMB Circular A-123;\n                      \xef\x82\xb7   Ensure that the Agency implements FMFIA and OMB Circular A-123 at\n                          appropriate organizational levels; and\n                      \xef\x82\xb7   Provide annual management integrity/A-123 guidance to the Agency.\n                  Office of Planning, Analysis, and Accountability\n\n                      \xef\x82\xb7   Plan, develop, and implement national policies for ensuring EPA\xe2\x80\x99s\n                          compliance with FMFIA;\n                      \xef\x82\xb7   Develop and implement a strategy for validating Agency-wide compliance\n                          with FMFIA;\n                      \xef\x82\xb7   Develop the form and content of the Administrator\xe2\x80\x99s annual statement of\n                          assurance on management controls based on recommendations and\n                          annual assurance letters from senior managers/senior assessment team;\n                      \xef\x82\xb7   Maintain technical expertise in the field of internal controls;\n                      \xef\x82\xb7   Provide technical assistance to program managers and staff; and\n                      \xef\x82\xb7   Provide supplemental guidance and training materials as needed to support\n                          senior managers in interpreting and applying EPA Order 1000.24.\n                 Source: EPA Order 1000.24 \xe2\x80\x9cManagement\xe2\x80\x99s Responsibility for Internal Control\xe2\x80\x9d (July 18,\n                 2008).\n\n                 OCFO issues annual guidance to program and regional offices on complying with\n                 FMFIA, and for FYs 2008 and 2009, OCFO\xe2\x80\x99s guidance included a reporting\n                 template with specific instructions for completing each section of assurance\n                 letters. For example, in FYs 2008 and 2009, OCFO\xe2\x80\x99s annual guidance included\n                 seven specific elements program and regional offices needed to address in\n                 assurance letters under the Control Environment standard.2 OCFO\xe2\x80\x99s guidance\n                 also listed significant financial processes to review, such as accounts receivable,\n                 grants, procurement, accounts payable, and payroll, as well as core administrative\n                 areas (e.g. purchase card, property management, funds control). OCFO also\n                 attached the Internal Control Evaluation Checklist, an abbreviated version of\n                 GAO\xe2\x80\x99s full Internal Control Management and Evaluation Tool that Assistant and\n                 Regional Administrators could use to evaluate their internal controls. The FY\n                 2009 guidance required offices to complete the Checklist and retain a copy as\n                 supporting documentation. The FY 2009 guidance also provided references to\n                 obtain full text of GAO\xe2\x80\x99s Standards and EPA\xe2\x80\x99s Order. Program and regional\n                 office assurance letters provide the basis for the Agency\xe2\x80\x99s annual assurance\n                 statement. The Agency\xe2\x80\x99s Performance and Accountability Reports due to the\n                 President and Congress each year describe progress made to strengthen internal\n                 controls.\n\n2\n OCFO identified the following seven \xe2\x80\x9ccontrol environment\xe2\x80\x9d elements for which offices needed to report in\nassurance letters: (1) integrity and ethical values, (2) commitment to competence, (3) management\xe2\x80\x99s philosophy and\noperating style, (4) organizational structure, (5) assignment of authority and responsibility, (6) human resource\npolicies and practices, and (7) oversight groups. OCFO said it drew these elements from GAO\xe2\x80\x99s Standards and\nfocused on them due to past questions from Agency offices on the control environment.\n\n\n                                                        5\n\x0c                                                                                     Report No. 09-P-0203\n\n\nScope and Methodology\n                We conducted our review, in accordance with Government Auditing Standards,\n                from January to May 2009.3 Government Auditing Standards require that we plan\n                and perform the review to provide a reasonable basis for our findings and\n                conclusions, and we believe the evidence we obtained meets that standard based\n                upon our review objectives. Our review findings only address EPA\xe2\x80\x99s\n                implementation of Section 2 of FMFIA (internal control over programs), and not\n                Section 4 (financial accounting systems) or Appendix A of OMB Circular A-123\n                (internal control over financial reporting). While evaluating how EPA\xe2\x80\x99s Office of\n                Research and Development (ORD) implements FMFIA,4 we identified issues\n                related to OCFO\xe2\x80\x99s Agency-wide management integrity guidance. We reviewed\n                OCFO\xe2\x80\x99s FY 2009 FMFIA guidance issued on December 22, 2008. Following\n                OCFO\xe2\x80\x99s issuance of FY 2009 guidance, we participated in meetings that OCFO\n                held on the Agency\xe2\x80\x99s FY 2009 FMFIA reporting process, and spoke with OCFO\n                about enhancing its reporting template. We provided written comments to OCFO\n                on January 30, 2009, suggesting that they revise the FY 2009 FMFIA guidance\n                reporting template. We also reviewed FY 2008 assurance letters from three\n                program5 and four regional6 offices, and interviewed the Management Integrity\n                Advisors in each office on their awareness and understanding of internal controls\n                and examples of internal control compliance in assurance letters. The\n                size/resource budget of program and regional offices we reviewed include some\n                of the largest dollar and full-time equivalent components of the Agency, and\n                OCFO recommended three of the seven offices as examples of good FMFIA\n                processes/assurance letters.7\n\n                Recently, the Office of Inspector General (OIG) issued a memorandum\n                recommending ways to strengthen management integrity processes affecting\n                specific activities under the American Recovery and Reinvestment Act of 2009,8\n                whereas this report addresses EPA\xe2\x80\x99s FMFIA reporting process generally. We\n                issue this early warning report to bring to the Agency\xe2\x80\x99s attention findings that\n                could impact FMFIA reporting by EPA offices in FY 2009 (reports due to the\n                Administrator by August 14, 2009) and to influence development of FY 2010\n                guidance.\n\n\n\n\n3\n  Related facts and observations arose during our current review of ORD\xe2\x80\x99s FMFIA implementation.\n4\n  We anticipate issuing our final report on ORD\xe2\x80\x99s FMFIA implementation in the fall of 2009.\n5\n  We reviewed fiscal 2008 FMFIA assurance letters from EPA\xe2\x80\x99s ORD, Office of Solid Waste and Emergency\nResponse (OSWER), and Office of Prevention, Pesticides, and Toxic Substances (OPPTS).\n6\n  We reviewed fiscal 2008 FMFIA assurance letters from EPA Regions 1, 2, 5, and 9.\n7\n  OCFO recommended that we review assurance letters from OSWER, OPPTS, and Region 5.\n8\n  US EPA OIG Special Report, Recommendation to Strengthen Management Integrity Processes Affecting Recovery\nAct Activities, Report No. 09-X-0145, April 27, 2009.\n\n\n                                                     6\n\x0c                                                                        Report No. 09-P-0203\n\n\nFindings\n\n           EPA Offices Have Not Developed Systematic Internal Control Review\n           Strategies\n\n           Based on our review of FY 2008 assurance letters, all seven EPA offices we\n           examined had not developed strategies that systematically and annually assess the\n           effectiveness and compliance of their programmatic internal controls with GAO\xe2\x80\x99s\n           Standards. Our review found that strategies did not address whether offices\n           established and evaluated internal controls over their programs in accordance with\n           GAO\xe2\x80\x99s Standards. In addition, strategies did not address implementation of other\n           statutory requirements such as GPRA or annual performance plans and\n           performance measures associated with NPM Guidance. For example, 2008 NPM\n           Guidance for OSWER identified six priority areas under its remedial program;\n           however neither the OSWER nor regional assurance letters we reviewed\n           addressed these priority areas or measures. Similarly, NPM Guidance for EPA\xe2\x80\x99s\n           clean air program identified priority areas specifically for the Agency\xe2\x80\x99s regional\n           offices, such as reducing diesel emissions; however, no regional letter we\n           reviewed mentioned risks or accomplishments related to that goal. We found that\n           strategies did not use GAO\xe2\x80\x99s Standards and did not consider program\n           performance information such as GPRA measures. Further, most Advisors\n           described FMFIA as primarily addressing administrative and financial elements\n           (as opposed to program performance), and all Advisors acknowledged that their\n           offices had not conducted risk or vulnerability assessments to identify needed\n           controls. OCFO recently issued a document to explain roles and responsibilities\n           between Advisors and lead region program staff. OCFO believes its document\n           will allow regions an opportunity to provide a consolidated regional perspective\n           to the appropriate NPM on current weaknesses or other emerging issues.\n\n           EPA Order 1000.24 requires that Assistant and Regional Administrators develop\n           and implement strategies to show how they will evaluate their internal controls\n           and the information they will use to report how they comply with FMFIA in their\n           annual assurance letters. The Order states that program managers have flexibility\n           in designing review strategies and directs them to use all credible sources of\n           information to assess effectiveness of internal controls. Information sources\n           specified by the Order include OIG and GAO audits, program evaluations, PART\n           or other similar reviews, and knowledge gained from daily operations. The Order\n           also notes that, in addition to FMFIA, managers should consider \xe2\x80\x9cother statutory\n           requirements\xe2\x80\x9d (such as GPRA) as part of the Agency\xe2\x80\x99s system of internal\n           controls, and that \xe2\x80\x9cprocesses, plans, policies, procedures, and performance\n           measures help organizations achieve results.\xe2\x80\x9d The Order further states that\n           Assistant and Regional Administrators should conduct their own reviews to\n           ensure they have the information necessary to make their evaluations (including a\n           plan to validate whether they achieved desired results). Further, OCFO\xe2\x80\x99s FY\n           2008 FMFIA guidance required that Assistant and Regional Administrators\n           provide a detailed description of their review strategies for assessing how well\n\n\n                                            7\n\x0c                                                                                          Report No. 09-P-0203\n\n\n                 internal controls over their programs perform, may be improved, and the degree to\n                 which they identify and address significant vulnerabilities. Results of these\n                 systematic review strategies provide the basis for annual assurance letters upon\n                 which the Administrator relies to assess the Agency\xe2\x80\x99s overall compliance with\n                 FMFIA.\n\n                 Agency Staff and Managers Need Additional Internal Control Training\n\n                 Advisors we interviewed had a range of training experience on FMFIA\n                 requirements. The majority of Advisors (four of seven) we interviewed believed\n                 they could benefit from additional training, especially on internal control\n                 standards and programmatic reviews.9 One senior manager suggested that OCFO\n                 consider tiered training for senior managers and Advisors that emphasizes,\n                 respectively, requirements per EPA Order 1000.24 and \xe2\x80\x9cnuts and bolts\xe2\x80\x9d of\n                 implementing and reporting (such as required administrative reviews, reporting\n                 elements, and milestone dates). Advisors suggested other elements, including\n                 training on:\n\n                          \xef\x82\xb7   Conducting internal control reviews for program staff (not just\n                              financial staff), and\n                          \xef\x82\xb7   Making OCFO\xe2\x80\x99s checklist useful for senior managers, perhaps by\n                              including specific programmatic examples.\n\n                 EPA Order 1000.24 requires OCFO\xe2\x80\x99s Office of Planning, Analysis, and\n                 Accountability to provide technical assistance and training to support program\n                 managers and staff. In FY 2008, OCFO offered a discretionary online training\n                 course, moderated by the Deputy Administrator, to briefly introduce internal\n                 control responsibilities. In 2008, in collaboration with OIG staff, OCFO offered\n                 staff-level training for Management Integrity Advisors that outlined basic steps\n                 for conducting a program review and provided tools and examples of how to\n                 document results of reviews. In response to requests for technical assistance,\n                 OCFO staff conducted individual management integrity briefings for senior\n                 managers in two offices.10 Additionally, OCFO holds one to two \xe2\x80\x9ckick-off\xe2\x80\x9d\n                 meetings or teleconferences with Management Integrity Advisors and senior\n                 managers upon issuing the annual guidance/template, which both OCFO and\n                 Advisors view as training on FMFIA requirements.\n\n                 OCFO agrees on the need for more in-depth training on assessing risk, developing\n                 program review strategies based on GAO\xe2\x80\x99s Standards, and reporting on how key\n                 activities fit together and expects to develop a strategy for comprehensive, tiered\n                 training by the end of FY 2009.\n\n\n\n9\n  During our interviews, we had to define and describe GAO\xe2\x80\x99s Standards to most Advisors. Most Advisors were\nalso not familiar with EPA\xe2\x80\x99s 1996 guidance document that listed the Agency\xe2\x80\x99s ten management integrity principles.\n10\n   OCFO said it briefed managers in OSWER and the Administrator\xe2\x80\x99s Office.\n\n\n                                                        8\n\x0c                                                                                                Report No. 09-P-0203\n\n\n                  OCFO Recently Strengthened Its FMFIA Guidance to Better Align\n                  with EPA Order 1000.24\n\n                  In FY 2008 OCFO revised its guidance from previous years to require that\n                  Agency senior managers evaluate their program\xe2\x80\x99s internal controls in accordance\n                  with GAO\xe2\x80\x99s five standards. As an attachment to the guidance, OCFO included an\n                  assurance letter template that provided \xe2\x80\x9cspecific instructions\xe2\x80\x9d for reporting results\n                  of internal control evaluations. However, the template only required reporting on\n                  one of the five GAO Standards, \xe2\x80\x9ccontrol environment.\xe2\x80\x9d OCFO explained that it\n                  outlined this standard in detail because Advisors and others expressed the greatest\n                  confusion over what to include in a discussion of \xe2\x80\x9ccontrol environment.\xe2\x80\x9d OCFO\n                  believes its guidance implicitly requires program and regional offices to apply\n                  GAO\xe2\x80\x99s Standards and that, by following OCFO\xe2\x80\x99s guidance, offices will in effect\n                  address all five standards. OCFO staff said it was not their responsibility to\n                  dictate to program and regional offices what to include in their program review\n                  strategy or how to conduct their assessments. However, OCFO agreed that its\n                  responsibility includes providing direction on steps in the FMFIA reporting\n                  process, and OCFO\xe2\x80\x99s annual guidance and template specifies the reporting format\n                  EPA offices must follow. OCFO acknowledges that most offices follow their\n                  template. Management Integrity Advisors we interviewed said OCFO\xe2\x80\x99s guidance\n                  provides administrative processes for completing assurance letters, and all\n                  Advisors stated they followed OCFO\xe2\x80\x99s guidance/template. During our\n                  interviews, we found that half of the Advisors were not familiar with GAO\xe2\x80\x99s\n                  Standards. Despite this, all Advisors we interviewed believed their offices\xe2\x80\x99\n                  assurance letters addressed all five standards, but could not provide examples as\n                  to how letters addressed the Standards. All but one assurance letter we reviewed\n                  did not comprehensively address the seven \xe2\x80\x9ccontrol environment\xe2\x80\x9d elements\n                  specified in Agency FMFIA guidance.11 All assurance letters we reviewed did\n                  not indicate that offices had conducted \xe2\x80\x9crisk assessment\xe2\x80\x9d on vulnerabilities\n                  toward meeting program goals, and did not assess and report on performance\n                  measures (a \xe2\x80\x9ccontrol activity\xe2\x80\x9d).\n\n                  In its FY 2009 FMFIA guidance issued on December 22, 2008, OCFO maintained\n                  the same template from FY 2008 guidance requiring that assurance letters address\n                  only the \xe2\x80\x9ccontrol environment\xe2\x80\x9d standard, but not the other four GAO Standards.\n                  We met with OCFO in January 2009 on ways to enhance the FY 2009 template to\n                  address all standards and documented our suggestions in a memorandum to the\n                  Acting Chief Financial Officer.12 We undertook our review of seven offices\xe2\x80\x99 FY\n                  2008 assurance letters to find further support for our suggestions to OCFO. Our\n                  ongoing communications with OCFO,13 coupled with newly developed\n                  management integrity processes affecting specific activities under the American\n\n11\n   Region 9\xe2\x80\x99s fiscal 2008 assurance letter provided a detailed description of activities related to all seven control\nenvironment elements.\n12\n   Melissa Heist, OIG\xe2\x80\x99s Assistant Inspector General for Audit, issued the memorandum to Maryann Froehlich,\nEPA\xe2\x80\x99s Acting Chief Financial Officer, on January 30, 2009.\n13\n   We briefed OCFO on our letter review results on April 14, 2009, and in a draft report issued on May 5, 2009.\n\n\n                                                            9\n\x0c                                                              Report No. 09-P-0203\n\n\nRecovery and Reinvestment Act of 2009, resulted in OCFO\xe2\x80\x99s decision to issue\nsupplemental FY 2009 FMFIA guidance. We reviewed OCFO\xe2\x80\x99s draft\nsupplemental guidance and suggested specific text \xe2\x80\x93 including programmatic\nexamples \xe2\x80\x93 for OCFO to provide in its guidance. OCFO\xe2\x80\x99s supplemental FY 2009\nFMFIA guidance, issued on May 19, 2009, included our suggestions. OCFO\xe2\x80\x99s\nsupplemental guidance:\n\n       \xef\x82\xb7   Revised language for the general statement of assurance that all\n           Assistant and Regional Administrators must include in assurance\n           letters to more clearly address whether they assessed internal controls\n           and comply with GAO\xe2\x80\x99s Standards;\n       \xef\x82\xb7   Defined all five GAO Standards; and\n       \xef\x82\xb7   Provided examples of programmatic activities related to each GAO\n           Standard.\n\nOCFO Has Not Validated Annual Assurance Letters\n\nOCFO said its validation strategy does not include validating the content and\naccuracy of offices\xe2\x80\x99 assurance letters. OCFO assumes offices take seriously\nstatements in assurance letters asserting compliance, and noted that accountable\nofficials \xe2\x80\x93 Assistant and Regional Administrators \xe2\x80\x93 should verify assurance letter\ncontent to make compliance determinations. Management integrity staff in\nOCFO\xe2\x80\x99s Office of Planning, Analysis, and Accountability said they assume that if\nan office conducted a review and indicated no material weaknesses, then that\noffice did what it was supposed to do. OCFO does not ask offices to show that\neverything is fine.\n\nEPA Order 1000.24 requires OCFO to develop and implement a strategy for\nvalidating Agency-wide compliance with FMFIA and OMB Circular A-123. To\ndate, OCFO has not compiled a written strategy but said it will to include\nactivities such as annual guidance, kick-off meeting and update meetings, and\nongoing communication with Advisors \xe2\x80\x93 all of which we view as providing\nguidance and advising up-front as opposed to validating end results. Management\nIntegrity Advisors we interviewed expect OCFO to communicate any problems\nwith their offices\xe2\x80\x99 assurance letters. Advisors assumed their FY 2008 assurance\nletters met reporting requirements since OCFO accepted letters without comment.\nOCFO told us that when it receives assurance letters from program and regional\noffices, OCFO reviews them primarily for completeness against guidance and to\nidentify current and new material weaknesses, management challenges, and\nemerging issues that warrant the Administrator\xe2\x80\x99s attention. OCFO uses an\ninternal checklist to ensure that offices\xe2\x80\x99 letters addressed template headings and\nother requirements from OCFO\xe2\x80\x99s annual guidance. OCFO acknowledged that it\ndoes not review assurance letters to verify that offices reported all internal and\nexternal reviews, results of those reviews related to programmatic controls, or\nwhether offices addressed all elements in the checklist excerpted from GAO\xe2\x80\x99s\n\n\n\n\n                                10\n\x0c                                                                                              Report No. 09-P-0203\n\n\n                  tool. To date, OCFO has limited resources to oversee annual FMFIA reporting on\n                  programmatic elements,14 and OCFO considers its staffing levels adequate.\n\n                  OCFO acknowledged, however, that financial reporting has received emphasis\n                  over the past few years given extensive reporting requirements in that area in\n                  OCFO\xe2\x80\x99s annual guidance (e.g. accounts receivable, grants, procurement and\n                  accounts payable, payroll, purchase card, property management, funds control).\n                  OCFO\xe2\x80\x99s staff person responsible for management integrity said focus swung too\n                  far in the direction of financial reviews, thus missing programmatic elements.15\n                  When we asked whether OCFO intended to review fiscal 2009 assurance letters\n                  against GAO\xe2\x80\x99s Standards, OCFO responded, \xe2\x80\x9cOnly in that we have asked offices\n                  to comply with the checklist.\xe2\x80\x9d OCFO has not required offices to provide copies\n                  of completed checklists; rather offices will retain them for their records. We\n                  found that for FY 2008 letters we reviewed, offices did not use or complete the\n                  checklist. This year, OCFO has planned a new program compliance review to\n                  identify major problem areas and \xe2\x80\x9cwork with a contractor on where weaknesses\n                  are in the FMFIA implementation process\xe2\x80\x9d at selected Headquarters and regional\n                  offices to correct the Agency\xe2\x80\x99s management integrity approach in FY 2010.\n                  OCFO\xe2\x80\x99s review will identify areas where OCFO should strengthen its guidance,\n                  and gather specific input for developing training plans. We believe OCFO could\n                  use program compliance review results to also revise its validation strategy to\n                  include, at a minimum, how EPA offices meet each of the five GAO Standards\n                  and annually evaluate internal controls established under GAO\xe2\x80\x99s Standards.\n                  Program compliance reviews could also determine the extent to which offices\n                  incorporate GPRA measures and NPM Guidance elements into their FMFIA\n                  reporting and internal control structure. Additionally, OCFO should describe\n                  components of its validation strategy in FY 2010 guidance to make clear to EPA\n                  offices what OCFO uses to review assurance letters.\n\nConclusion\n                  Because OCFO did not require \xe2\x80\x93 and program and regional offices did not\n                  evaluate and report on \xe2\x80\x93 compliance with GAO\xe2\x80\x99s Standards in FY 2008, EPA\n                  risked not fully complying with FMFIA. These actions gave the Administrator no\n                  documented basis upon which to make a compliance determination when signing\n                  the Agency\xe2\x80\x99s FY 2008 letter. Assistant and Regional Administrators issue\n\n14\n   OCFO said it relies on a \xe2\x80\x9cteam\xe2\x80\x9d to focus on the programmatic aspect; however we found that OCFO relies upon\none project lead in its Office of Planning, Analysis, and Accountability. OCFO said other groups help review\nfinancial/administrative elements, such as financial reporting and oversight on grants and contracts.\n15\n   OCFO staff said focus shifted shortly after Congress enacted the Sarbanes-Oxley Act on July 30, 2002. The\nlegislation set new or enhanced standards for all U.S. public company boards, management and public accounting\nfirms and addressed issues relating to (1) auditor independence, (2) corporate responsibility, (3) enhanced financial\ndisclosures, and (4) accountability and certifying financial results. OMB revised Circular A-123 on December 21,\n2004, in light of new internal control requirements for publicly-traded companies contained in the Sarbanes-Oxley\nAct of 2002. Then Comptroller Linda Springer said in a memorandum, \xe2\x80\x9cThe policy changes in this circular are\nintended to strengthen the requirements for conducting management\xe2\x80\x99s assessment of internal control over financial\nreporting.\xe2\x80\x9d\n\n\n                                                          11\n\x0c                                                                      Report No. 09-P-0203\n\n\n        assurance letters to the Administrator without utilizing strategies that provide a\n        sound, documented basis for reasonably assuring that their programs implement\n        effective internal controls consistent with EPA Order 1000.24 and comply with\n        GAO\xe2\x80\x99s Standards. The Agency\xe2\x80\x99s OCFO-driven FMFIA process has emphasized\n        administrative and financial reporting over programmatic performance and \xe2\x80\x93 until\n        recently \xe2\x80\x93 has not integrated other relevant Agency-wide processes such as annual\n        performance plans, measures, and results to evaluate internal controls. OCFO\xe2\x80\x99s\n        recent emphasis on all five GAO internal control standards, as well as increased\n        awareness through training, could help EPA offices improve certifications to the\n        Administrator that they have effective and efficient program operations.\n\nRecommendations\n        We recommend that the Chief Financial Officer:\n\n               1. Develop a training course on FMFIA that provides (a) senior managers\n                  with an overall understanding on internal controls and their\n                  responsibilities in EPA Order 1000.24, and (b) Management Integrity\n                  Advisors with details on implementing and reporting.\n\n               2. Develop fiscal 2010 FMFIA guidance and a reporting template that\n                  requires reporting all five GAO Standards to ensure consistency with\n                  OMB Circular A-123 and EPA Order 1000.24. Incorporate language\n                  in supplemental FMFIA guidance issued on May 19, 2009, into fiscal\n                  2010 guidance.\n\n               3. Revise the internal checklist that OCFO uses as part of its strategy for\n                  validating Agency-wide FMFIA compliance to confirm that EPA\n                  offices addressed each of the five GAO standards in evaluating their\n                  internal controls and identifying weaknesses. Describe, in its annual\n                  Agency guidance, OCFO's strategy for assessing offices' assurance\n                  letters for compliance.\n\n        We also recommend that the Administrator foster an environment that supports\n        internal control by:\n\n               4. Announcing the FY 2010 FMFIA process that describes the\n                  significance of annual FMFIA reporting and certification that\n                  programs comply with GAO\xe2\x80\x99s Standards.\n\n               5. Requiring all Senior Executive Service members, GS-15 managers,\n                  and Management Integrity Advisors to attend OCFO\xe2\x80\x99s initial FMFIA\n                  training course and annual updates.\n\n\n\n\n                                        12\n\x0c                                                                        Report No. 09-P-0203\n\n\nAgency Comments and OIG Evaluation\n         The Agency agreed with our draft report findings and concurred with our\n         recommendations for strengthening EPA\xe2\x80\x99s FMFIA implementation. Initially\n         OCFO disagreed with our third recommendation previously worded, \xe2\x80\x9cDetermine\n         staffing levels needed to implement requirements in EPA Order 1000.24 and\n         invest adequate resources to validate annual assurance letters against\n         administrative, financial, and programmatic review elements.\xe2\x80\x9d OCFO said it\n         relies on Assistant and Regional Administrators\xe2\x80\x99 signed personal statements of\n         assurance as the cornerstone of OCFO\xe2\x80\x99s validation strategy and as the primary\n         form of validating compliance with GAO internal control standards. We met with\n         OCFO to clarify that our recommendation did not imply that EPA Order 1000.24\n         required OCFO to independently test the content of EPA offices\xe2\x80\x99 assurance\n         letters; a mandate which OCFO said would require detailed programmatic\n         knowledge, technical expertise, and substantial resources. We agree that OCFO\n         lacks the technical expertise and resources necessary to perform in-depth reviews\n         of letter contents. However, we believe \xe2\x80\x9cvalidating\xe2\x80\x9d includes OCFO\xe2\x80\x99s assurance\n         that offices applied all relevant information \xe2\x80\x93 consistent with our report findings \xe2\x80\x93\n         to support signed assurance statements. As such, we discussed with OCFO how\n         its validation strategy should address how OCFO assesses how each EPA office\n         met \xe2\x80\x93 and annually evaluated internal controls established under \xe2\x80\x93 each of GAO\xe2\x80\x99s\n         five standards. We revised our recommendation wording to reflect our\n         discussions and consensus with OCFO. OCFO agreed and said it plans to revise\n         the internal checklist it uses to validate assurance letters to include GAO\xe2\x80\x99s five\n         standards. OCFO believes it has adequate resources to revise and apply this\n         validation strategy. OCFO also believes EPA offices are equipped to address\n         expanded requirements (i.e. all five GAO standards) under the planned FY 2010\n         FMFIA process. Further, OCFO indicated that its validation strategy is unwritten\n         but includes: (1) signed assurance statements, (2) annual guidance, (3) regular\n         meetings, (4) training and technical assistance, (5) internal checklist against which\n         to review assurance letters, and (6) program compliance reviews. We suggested \xe2\x80\x93\n         and OCFO agreed \xe2\x80\x93 that it should codify this validation strategy in annual\n         guidance to make clear to EPA offices how OCFO validates Agency-wide\n         FMFIA compliance. Appendix A includes EPA\xe2\x80\x99s full response.\n\n\n\n\n                                          13\n\x0c                                                                                                                            Report No. 09-P-0203\n\n\n\n\n                                 Status of Recommendations and\n                                   Potential Monetary Benefits\n\n                                                                                                                              POTENTIAL MONETARY\n                                                    RECOMMENDATIONS                                                            BENEFITS (in $000s)\n\n                                                                                                                Planned\n    Rec.    Page                                                                                               Completion      Claimed   Agreed To\n    No.      No.                          Subject                        Status1        Action Official           Date         Amount     Amount\n\n     1       12     Develop a training course on FMFIA.                     O        Chief Financial Officer\n\n\n     2       12     Develop FY 2010 FMFIA guidance and a reporting          O        Chief Financial Officer\n                    template that requires reporting all five GAO\n                    Standards to ensure consistency with OMB\n                    Circular A-123 and EPA Order 1000.24.\n                    Incorporate language in supplemental FMFIA\n                    guidance issued on May 19, 2009, into FY 2010\n                    guidance.\n\n     3       12     Revise the internal checklist that OCFO uses as         O        Chief Financial Officer\n                    part of its strategy for validating Agency-wide\n                    FMFIA compliance to confirm that EPA offices\n                    addressed each of the five GAO standards in\n                    evaluating their internal controls and identifying\n                    weaknesses. Describe, in its annual Agency\n                    guidance, OCFO's strategy for assessing offices'\n                    assurance letters for compliance.\n\n     4       12     Announce the FY 2010 FMFIA process that                 O            Administrator\n                    describes the significance of annual FMFIA\n                    reporting and certification that programs comply\n                    with GAO Standards.\n\n     5       12     Require that all Senior Executive Service               O            Administrator\n                    members, GS-15 managers, and Management\n                    Integrity Advisors attend OCFO\xe2\x80\x99s initial FMFIA\n                    training course and annual updates.\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is undecided with resolution efforts in progress\n\n\n\n\n                                                                                14\n\x0c                                                                              Report No. 09-P-0203\n\n\n                                                                                     Appendix A\n\n                   Agency Response to Draft Report\n                                          July 16, 2009\n\nMEMORANDUM\n\nSUBJECT:       OCFO Response to Draft Audit Report: EPA Should Use FMFIA to Improve\n               Programmatic Operations (Project No. 08-FY08-0323)\n\nFROM:          Maryann Froehlich /signed by/    Joshua Baylson\n               Acting Chief Financial Officer\n\nTO:            Melissa M. Heist\n               Assistant Inspector General for Audit\n\n       This memorandum responds to the Office of Inspector General (OIG) draft audit report,\nEPA Should Use FMFIA to Improve Programmatic Operations (Project No. 08-FY08-0323),\ndated June 22, 2009.\n\n        The Office of the Chief Financial Officer (OCFO) appreciates your consideration of the\ncomments and suggestions we offered on the discussion draft report, EPA Federal Managers\xe2\x80\x99\nFinancial Integrity Act (FMFIA) Process Improvements, and the resulting modifications\nreflected in this draft report. We are now responding to you on behalf of both OCFO and the\nOffice of the Administrator (OA), as your report was issued to both offices. We have worked\nclosely with OA to prepare the following consolidated response, which represents the views of\nboth offices.\n\n         In general, OA and OCFO agree with the findings presented in the draft report and\nsupport the majority of OIG\xe2\x80\x99s recommendations for strengthening EPA\xe2\x80\x99s FMFIA\nimplementation. We will be working together to implement recommendations for the\nAdministrator to continue emphasizing to senior managers the importance of FMFIA and of\nsound internal controls. We do, however, remain concerned about Recommendation 3\xe2\x80\x94that\nOCFO \xe2\x80\x9cinvest adequate resources to validate annual assurance letters against administrative,\nfinancial, and programmatic review elements.\xe2\x80\x9d We continue to work closely with program and\nregional offices to strengthen their implementation of FMFIA and ensure a sound basis for their\nletters of assurance to the Administrator, which provide the foundation for the Administrator\xe2\x80\x99s\noverall statement of assurance. We believe that OCFO is fulfilling its responsibility, outlined in\nEPA Order 1000.24, to implement a strategy for validating Agency-wide compliance with the\nIntegrity Act.\n\n        Please find attached our responses to each of the recommendations contained in the draft\nreport. As we have agreed with Patrick Gilbride (via a July 1, 2009 email exchange), we will\nprovide planned completion dates for all recommendations once OIG has issued its final report.\n\n\n\n                                                15\n\x0c                                                                              Report No. 09-P-0203\n\n\nIn addition, I have attached a copy of the draft report that we have annotated with a few specific\ncomments and suggestions. If you would like to discuss these attachments further, please have\nyour staff contact Debbie Rutherford (202-564-1913) or Annette Morant (202-564-3671) in\nOCFO\xe2\x80\x99s Office of Planning, Analysis, and Accountability.\n\n       We appreciate your sharing these findings and recommendations with OCFO and OA,\nand we look forward to working with you to strengthen the Agency\xe2\x80\x99s management integrity\nprogram.\n\nAttachments\n\ncc:      Scott Fulton\n         Ray Spears\n         Josh Baylson\n         Rita Smith\n         Stefan Silzer\n         Patrick Gilbride\n         Erin Barnes-Weaver\n\n                                  OCFO and OA Response to\n                              OIG Draft Report Recommendations:\n\n                  EPA Should Use FMFIA to Improve Programmatic Operations\n                                 Project No. OA-FY08-0323\n                                       June 22, 2009\n\n\n1. Develop a training course on FMFIA that provides (a) senior managers with an overall\n   understanding on internal controls and their responsibilities in EPA Order 1000.24, and (b)\n   Management Integrity Advisors with details on implementing and reporting.\n\n      Concur. OCFO agrees that further training is needed at both senior manager and\n      Management Integrity Advisor (MIA) levels. At a June meeting of Assistant Regional\n      Administrators, Office of Planning, Analysis, and Accountability (OPAA) staff led a brief\n      discussion to help identify training needs and potential approaches and mechanisms. We\n      continue to consult with MIAs to determine their training and information needs. In addition,\n      beginning in late July/early August, OCFO will be conducting contractor-supported Program\n      Compliance Reviews in several selected regional and program offices. Preliminary surveys\n      and the on-site reviews will help to diagnose training needs and inform development of\n      training tools and materials. (OCFO expects the on-site reviews also to provide some \xe2\x80\x9con the\n      spot\xe2\x80\x9d training/assistance to MIAs in participating offices.) In addition, OCFO is dedicating\n      contract resources to a more comprehensive training effort, and we will be working with\n      training experts to explore vehicles/mechanisms for delivering the training. We expect to\n      complete development of an Agency-wide strategy for comprehensive, tiered FMFIA\n      training by the end of fiscal year 2009.\n\n\n\n\n                                                 16\n\x0c                                                                             Report No. 09-P-0203\n\n\n2. Develop fiscal 2010 FMFIA guidance and a reporting template that requires reporting all five\n   GAO standards to ensure consistency with OMB Circular A-123 and EPA Order 1000.24.\n   Incorporate language in supplemental FMFIA guidance issued on May 19, 2009, into fiscal\n   2010 guidance.\n\n   Concur. OCFO agrees on the need to revise our guidance and assurance letter template so\n   that assurance letters clearly address all five GAO standards. The Acting CFO\xe2\x80\x99s February\n   19, 2009 memo to the Assistant Inspector General for Audit makes this commitment for FY\n   2010. In developing FY 2010 guidance, we will incorporate elements of the FY 2009\n   supplemental guidance issued on May 19, including an emphasis on the need for all\n   programs to comply with the five GAO standards for internal control and the revised\n   Assistant Administrator (AA) and Regional Administrator (RA) assurance statement\n   certifying compliance with the GAO standards.\n\n3. Determine staffing levels needed to implement requirements in EPA Order 1000.24 and\n   invest adequate resources to validate annual assurance letters against administrative,\n   financial, and programmatic review elements.\n\n   Disagree. EPA holds AAs and RAs accountable for their integrity programs and internal\n   controls. OCFO relies on AAs\xe2\x80\x99 and RAs\xe2\x80\x99 signed personal statements of assurance as the\n   primary form of validation of compliance with GAO standards for internal control. These\n   signed statements testify to the soundness of the internal controls established to protect EPA\n   programs from fraud, waste, and abuse. EPA Order 1000.24 requires that OPAA \xe2\x80\x9cdevelop\n   and implement a strategy for validating Agency-wide compliance with FMFIA.\xe2\x80\x9d The signed\n   letters of assurance to the Administrator are the cornerstone of this strategy. OPAA staff use\n   a checklist to review annual assurance letters for completeness, ensuring that AAs and RAs\n   have adequately addressed all elements set out in annual guidance, as well as to identify\n   potential weaknesses or areas of concern for the Administrator\xe2\x80\x99s attention. OPAA\xe2\x80\x99s strategy\n   for fostering compliance with FMFIA also includes issuing annual guidance, conducting\n   regular meetings with senior managers to review roles and responsibilities, and providing\n   training and technical assistance to Agency staff and managers.\n\n   OCFO believes EPA Order 1000.24 was never intended to require that OCFO independently\n   validate the content of each of 13 program office and 10 regional office assurance letters, a\n   mandate which would require wide-ranging, detailed programmatic knowledge and technical\n   expertise as well as substantial resources. OCFO does not agree that the responsibility for\n   developing and implementing a strategy to validate the Agency\xe2\x80\x99s compliance with FMFIA\n   requires OCFO to \xe2\x80\x9cverify that offices reported all internal and external reviews\xe2\x80\x9d and the\n   \xe2\x80\x9cresults of those reviews related to programmatic controls\xe2\x80\x9d (p. 10). However, OPAA staff do\n   carefully review letters to ensure that \xe2\x80\x9coffices addressed all elements in the checklist OCFO\n   provided along with its\xe2\x80\x99 FY 2008 and 2009 guidance (p. 10),\xe2\x80\x9d and we rely on AAs\xe2\x80\x99 and RAs\xe2\x80\x99\n   statements of assurance that they have reviewed internal controls in compliance with GAO\n   standards.\n\n   OIG\xe2\x80\x99s statement that \xe2\x80\x9cOCFO has one project lead\xe2\x80\x94supported by additional staff\xe2\x80\x94to oversee\n   EPA\xe2\x80\x99s management integrity program, including extensive administrative and financial\n   reporting activities\xe2\x80\x9d is misleading. In fact, OCFO relies on a team within OPAA to focus on\n\n\n                                               17\n\x0c                                                                              Report No. 09-P-0203\n\n\n   the overall Agency FMFIA implementation process and, in particular, the programmatic\n   aspect, and a team within its Office of Financial Management to focus on Agency-wide\n   financial activities, including controls over financial reporting. In addition, in reviewing\n   assurance letters, OCFO collaborates with appropriate program offices, such as the Office of\n   Administration and Resource Management and the Office of Environmental Information, to\n   assess such components of assurance letters as discussion of grants and contracts, human\n   capital, or data quality/information reporting systems.\n\n   OCFO does, however, acknowledge the need to strengthen compliance with FMFIA and\n   improve monitoring. Beginning in late July/early August 2009, OPAA will be initiating a\n   series of Program Compliance Reviews in selected headquarters and regional offices. To\n   augment OPAA efforts, contractor staff with expertise in FMFIA and internal controls will\n   conduct on-site visits to assess offices\xe2\x80\x99 documentation for their assurance letters and assist\n   them in improving their FY 2010 FMFIA process. These activities will support efforts to\n   ensure that assurance letters adequately reflect and validate Agency-wide compliance with\n   FMFIA.\n\n4. Announcing the FY 2010 FMFIA process that describes the significance of annual FMFIA\n   reporting and certification that programs comply with GAO\xe2\x80\x99s Standards.\n\n   Concur. OCFO will work with the Office of the Administrator to develop an announcement\n   or other communication from the Administrator to help launch the FY 2010 FMFIA process.\n   The Administrator\xe2\x80\x99s message will stress the importance of the integrity process and of AAs\xe2\x80\x99\n   and RAs\xe2\x80\x99 assurance statements certifying compliance with GAO standards.\n\n5. Requiring all Senior Executive Service members, GS-15 managers, and Management\n   Integrity Advisors to attend OCFO\xe2\x80\x99s initial FMFIA training course and annual updates.\n\n   Concur. OCFO will work with OA to incorporate such a direction from the Administrator as\n   part of its strategy for tiered, Agency-wide FMFIA training.\n\n\n\n\n                                                18\n\x0c                                                                            Report No. 09-P-0203\n\n\n                                                                                  Appendix B\n\n                                    Distribution\nOffice of the Administrator\nAgency Follow-up Official (the CFO)\nAgency Follow-up Coordinator\nActing General Counsel\nAssociate Administrator for Congressional and Intergovernmental Relations\nAssociate Administrator for Public Affairs\nAudit Follow-up Coordinator, Office of the Administrator\nAudit Follow-up Coordinator, Office of the Chief Financial Officer\nActing Inspector General\n\n\n\n\n                                             19\n\x0c"